This Week, 6,500 Hidden Services were Ousted from the Darknet

The name Daniel Winzen may not mean much to the ordinary internet user, but on the darknet @daniel is the legendary nickname of the individual known for offering free anonymous web hosting, chat, e-mail, and XMPP/Jabber services on Tor for the last 5 years and perhaps longer. He started out humbly - installing a small number of Tor-based hidden services, or websites, on a Raspberry Pi 2 - but over the years expanded his presence to hosting upwards of 7,000 hidden services per month for darknet users across Tor and I2P. That is, until last week.

Shortly after 10:00pm UTC on the 15th of November 2018, Daniel Winzen’s server was breached, databases accessed, and accounts deleted, including the root, or administrator, account, rendering his services unusable. In less than three hours, the intruders deleted the SQL databases for his chat, onion-link list, and hit counter. The attackers initially accessed the main phpMyAdmin and adminer panels using the correct hosting management password, suggesting that the password may have been harvested via a phishing attempt or that the server was accessed by someone with access to Daniel’s credentials. Daniel’s popular GitHub account also experienced a failed login for his software repository on November 9th, which has not yet been determined to be related.

Daniel’s updates on his portal indicate that this hack was a “database only” breach:

Other than the root account, no accounts unrelated to the hosting were touched and unrelated files in /home/ weren’t touched either. As of now there is no indication of further system access and I would classify this as a “database only” breach, with no direct access to the system. From the logs it is evident that both adminer and phpmyadmin have been used to run queries on the database.

According to updates posted to his surface net and darknet portal, Winzen is thoroughly investigating all potential vulnerabilities in his server before restoring services. He has also raised concern over a 0-day exploit in PHP’s imap_open() function, released exactly one day before the attack, which he has since patched.

30% of Online Domains Disappeared Overnight

Over 30% of the operational and active hidden services across Tor and I2P disappeared with the hack of Daniel’s Hosting Services, and over 6 million documents archived in DarkOwl Vision are no longer available on the darknet.

DarkOwl quantified the impact to the size of the darknet, specifically Tor, using its internal “Map the Dark” reporting, which includes statistics from darknet websites indexed over the previous 24-hour period. Our data substantiates the hosting provider’s offline status, with a delta of 4,887 domains going offline between the 15th and 16th of November. DarkOwl has indexed the archives of 5,300 domains from early November and has assessed them to be services that were formerly hosted on Daniel’s server.

Daniel’s previous online-link list advertised that he hosted over 1,500 private hidden services whose domain URLs are unknown at this time. DarkOwl’s estimated total number of domains hosted by Daniel is consistent with the 6,500 offline domains quoted by Daniel on his server portal.

657 of the hidden services have only the title “Site Hosted by Daniel’s Hosting Service” and contain no meaningful content worth mentioning. A darknet hidden service domain could have been used for something other than serving web content.

Over 4,900 of the hacked domains are in English and 54 are Russian-language hidden services. Two of the oldest hidden services are interestingly in the Portuguese language.

Figure 2: Graph model showing Daniel’s main Tor domain and all the subdomains

Daniel’s hosting service, chatroom and online-link list have served as a pillar for the darknet community for years. For example, his online-link list is referenced by nearly 500 other hidden services, making it the second most commonly referred to directory listing (behind Fresh Onions) and providing a foundational starting point for new users navigating Tor.

Given that his services were provided free of charge and generally reliable against attack, there are mixed theories as to who could have wanted to destroy this mainstay of the anonymous online community.

Are Russian Hackers Responsible?

In recent weeks, Russian hackers on a website called www.antichat.com outlined the technical details of exploiting PHP’s imap_open() function to extract password hashes for privileged accounts, as an alternative to brute force mining. Then, on Thursday (the same day as the attack), antichat.com forum staff member “Big Bear” posted a MEGA.nz link to a PDF titled “[RCE] 0-day в imap/c-client на примере PHP” (in English: [RCE] 0-day in imap / c-client using the example of PHP) detailing the imap_open exploit. The same post identifies the authors by the nicknames crlf and Twost, the latter of whom is also known as “Aleksandr.”

DarkOwl Vision shows darknet mentions of the alias Twost dating back to 2016.

The Anti Child-Exploitation Community

Daniel’s darknet notoriety increased in 2016 when he ported Lucky Eddy’s Perl-CGI LE-Chat script to PHP with a MySQL or PostgreSQL backend, optimizing the environment for Tor and decreasing the darknet community’s reliance on JavaScript, thus allowing image sharing inside a chat platform (which is not available via XMPP and IRC) without potentially compromising posters’ identities. As a result, Daniel’s LE-Chat code became a popular platform for the darknet pedophilia community, and the home of many well-known Child Pornography sharing chatrooms such as Tabooless, Camp Fire, and Child Priori.

Individual “pedo-hunters” and anti-pedophilia groups have called for hacking Daniel’s services using large-scale distributed denial of service (DDoS) campaigns, specifically because it was rumored that the principal administrator and some key staff members were active in pedophilia-specific chats.

Figure 3: Anonymous post suggesting the hack was motivated by an anti-pedophilia agenda

A Potential Law Enforcement Operation

Daniel’s Chat quietly resurfaced this past Saturday with a clean install and backup from early 2017, accompanied by a flurry of confusion over the assignments of administrator, moderators, and members. Without the comforting presence of the “regular” member database and credentials, users had no way to verify that anyone was who they said they were. Many legitimately feared that popular nicknames of members and staff had been spoofed by trolls trying to capture access to the members-only chat. One user on the darknet social media site Galaxy3 stated that @daniel re-installed the chat and that it “sounded like him,” although with a caveat that everyone should be cautious.

At the same time, others theorized the extreme possibility that @daniel had actually been arrested and the take-down was led by international law enforcement or the German police. Daniel’s hidden services experienced extreme DDoS in the weeks preceding the hack, similar to other law enforcement-led darknet seizure operations.

Anti-Syntax Club or an Inside Job

For over a year, the nickname Syntax has been referenced with either extreme love or extreme hate. Hundreds of trolls have posted across forums and paste sites about how this purportedly 17-year-old female is responsible for taking down a number of pedophilia chatrooms and community leaders in recent years. Since early this fall, there has been an increase in the number of anti-Syntax trolls repeatedly calling for attacks against Daniel’s services, and more specifically against Syntax and her ally ChatTor, since she was promoted to Super Moderator of Daniel’s popular and drama-filled chatroom during the summer and accused of abusing the position.

Other members have suggested the remote possibility that the attack on Daniel’s services was led by Syntax and ChatTor so that they could take administrative control of the chatroom, although a recent image capture from ChatTor states that it was simply about being in the right place at the right time.

Looking forward

While the darknet is ever-changing, DarkOwl Vision has the most recent information to support darknet network analytics and capture changes to hidden services. DarkOwl analysts continue to monitor and will publish updates as more information is uncovered.

TheDarkOverlord has resurfaced on Kickass Forum

TheDarkOverlord announces that they are officially back in business (Source)

TheDarkOverlord, one of the threat actors that DarkOwl analysts routinely monitor, apparently resurfaced last week. In a recent series of posts, an entity claiming to be TheDarkOverlord is advertising a database of personal health information as well as user information taken from an unnamed gaming site - both of which are being offered for sale to willing buyers.

TheDarkOverlord claims to have hacked “several medical practices”

In the post (pictured below), TheDarkOverlord advertises that they have over 67,000 patient records for sale, stolen from medical and dental practices in California, Missouri, and New York.

The forum listing advertises that these databases include personal and health information including full names, physical addresses, phone numbers, DOBs, driver’s license numbers, SSNs, medical histories, and much more. A specific price point was not provided; rather, the prices are “negotiable.” Interested buyers were instructed to send TheDarkOverlord an encrypted message using the forum’s private messaging system.

TheDarkOverlord also states that they’d be willing to entertain higher offers for data that “no one else will have,” giving the potential transaction a level of exclusivity that will likely attract a certain type of buyer and grab even more public interest.

Screenshot of TheDarkOverlord posting about medical records on Kickass Forum

Also for sale: a stolen database from a gaming website

On the same day, TheDarkOverlord posted a listing on the same Kickass Forum’s marketplace for 131,000 records from an “unnamed gaming website.” As advertised, these records include users’ email addresses, passwords, DOBs, IP addresses, and much more.

So far, it would appear that TheDarkOverlord is taking serious inquiries only. For example, in the comment section for the post below, someone asked for the name of the gaming website in question, and TheDarkOverlord responded that they would like “proof of funds and intent to purchase” before disclosing any additional information.

After our update post last Friday discussing Dream Market, our analysts have continued to track what's happening around the recent law enforcement takedowns of the two largest darknet marketplaces, AlphaBay and Hansa. Data from our DarkOwl Vision platform revealed interesting statistics around the volume of darknet marketplace activity.

A recap of the marketplace takedowns

This past week, authorities revealed the seizure of two of the largest darknet markets, AlphaBay and Hansa. News of the seizure began circulating after AlphaBay mysteriously disappeared almost two weeks ago, prompting speculation of what many thought might be a massive exit scam. AlphaBay moderators Trappy and BigMuscles soothed market vendors and buyers on forums such as Reddit, claiming that AlphaBay was only down for server updates. After a few days of downtime and no indication of when the market would return, longtime AlphaBay loyalists began flocking to Hansa, the second most popular darknet marketplace, in order to keep their businesses afloat. However, unbeknownst to and unfortunately for them, Dutch law enforcement had by this time already confiscated the Hansa servers nearly a month prior, with the arrest of two German Hansa administrators.

Dutch authorities reported in a press briefing last Thursday that by keeping Hansa operational after the arrest of the owners, they had been able to use the marketplace as a trap to catch vendors and customers fleeing AlphaBay. The authorities said that in the days after AlphaBay went down, the number of vendors operating on Hansa Market jumped from 1,000 on an average day to 8,000. Authorities leveraged this influx and used the time to gather information on high value targets, successfully identifying delivery addresses for sizable orders and passing 10,000 international addresses to Europol.

On Monday of last week, reports surfaced of the apparent suicide of one of the creators of AlphaBay, Alexander Cazes, in a Thailand prison just hours before he was scheduled to meet with his extradition lawyer. The two were to discuss Cazes' charges from the U.S. Department of Justice for running an illegal darknet market, among a number of others, including money laundering. Cazes, also known as alpha02 and an infamous VIP carder on The Carding Forum, ceased to use the alpha02 moniker as of late 2014 and communicated on AlphaBay simply as Admin.

The whereabouts of Cazes' colleague and co-owner of AlphaBay, DeSnake, a security and hacking specialist, are currently unknown.

The Hansa takedown was the pinnacle of an investigation regarding drug dealers and traffickers in the Netherlands. In October, the Dutch police issued a warning to those active on darknet markets, listing targeted, active vendors' monikers, the names of over a dozen vendors they had arrested, and a list of targeted buyers. Their .onion site (below) is regularly updated to reflect recently apprehended vendors.

http://politiepcvh42eav.onion/

The latest updates

Over the past week, there has been a sense of panic across darknet market enthusiasts. Rumors are circulating that other markets, like Dream Market, are also compromised and all activity on darknet marketplaces should cease until the situation is more clear. Some are being more aggressive, commenting things like, “the darknet is falling over…” and suggesting shifts to peer-to-peer (P2P) markets, such as OpenBazaar and BitBay.

Even more extreme are those such as harshfang, who on Reddit claimed that all of Tor is compromised. Harshfang said he would be looking into P2P-based alternatives, like I2P and HORNET, in the near future. Could this be the direction the darknet is headed? Here at OWL Cybersecurity, we are successfully indexing data from I2P sites and other darknet platforms with our OWL Vision engine.

Many Hansa buyers are preparing for the worst, looking for both advice on how to wipe their hard disks and completely clear data (DBAN) and recommendations for criminal lawyers in their country.

One could surmise that this panic may lead to a decrease in the use of Tor in the coming months. While the scale on metrics.torproject.org is rather large, there appears to be a noticeable decrease in the number of “directly connecting users” since early July. We suspect this number will decline until the dust settles and new, more secure markets are established.

A decrease in darknet market volume

Our analysts took a look at data from DarkOwl Vision, our database of darknet content (DARKINT), to see whether the number of hidden services showed a similar trend over the same time period as the users chart above.

While the total number of hidden services crawled by the engine increased by 3% over the last six weeks, the total number of sites we classified as MARKETS had a notable decrease, over 20% across the same time period. Clearly not all of these sites are hidden services related to the AlphaBay and Hansa marketplaces, but it is conceivable that the recent law enforcement operations and subsequent takedowns have prompted the preemptive shutdown of a number of vendor-operated sites, such as the two dozen or so vendors listed on the Dutch police-run darknet site mentioned earlier in this post. Further supporting this theory is the fact that our analysts surveyed the top twenty most popular vendor shops on the darknet, such as Dutch Drugs, The French Connection, and DeepStatus, and over 40% of them are not currently operational.


Over the next week we will continue to watch the shape and size of the Darknet as a result of this incredible law enforcement effort and bring you more updates as they become available.


The Goods & Services of a Darknet Market

In a series of earlier posts, we introduced you to darknet marketplaces, the e-commerce sector of the darknet. We not only shared the history of these fascinating marketplaces, e.g. Silk Road, but also shared some insight into who the current market leaders are and how to safely navigate and transact with vendors in this arena through the follow-up pieces on cryptocurrency. While there used to be only one or two principal players in this space, there are now thousands of vendors distributed across some 50 markets who are actively trading across the deepest and darkest parts of the internet.

Darknet Market Leaders

While there are numerous markets now actively offering goods and services on the darknet, the top three sites that rule in total number of listings, vendors, and overall activity are: AlphaBay, Hansa, and The Dream Market. We discussed last time how to access these darknet markets, and how cryptocurrency transactions work. Today, we will venture more into the categories of the types of goods and services on offer and the specialties of each of these markets. Bear in mind, these marketplaces change rapidly and the data discussed below is a snapshot of each market during the last week in April (4/21/17 - 4/28/17).

ALPHABAY

AlphaBay Marketplace is one of the best looking, fully-functional markets on the Darknet. Its uptime is well over 95% and the site refreshes most expediently. According to DeepDotWeb, AlphaBay was founded by reputable and foundational members of the carding community, alpha02 and DeSnake. AlphaBay saw a major surge of users (over 18,000 registrations) shortly after the demise of the Evolution Market in early 2015 due to one of the largest known darknet exit scams, second to The Sheep Market exit scam we tweeted about earlier this week. For this reason, AlphaBay takes security quite seriously, offering multisig transactions, Finalize Early (FE) for verified vendors, and regular Escrow accounts.

AlphaBay also recently announced that they will be accepting Ethereum transactions starting on May 1st, 2017, and were one of the first markets to support alternate cryptocurrencies such as Monero. Despite their owners’ origins in carding, AlphaBay has a wide mix of products on offer, and leads the pack with over 200,000 listings (68% of their market) dedicated to drug-related offerings.

Most notably, AlphaBay is the only market in the top three we reviewed with vendors offering actual handguns, CS gas, and explosives as opposed to manuals or ammunition. It has a category dedicated to offering weapons, totaling over 4,000 listings, and the burgeoning burglar can even use AlphaBay to purchase their “Thief Mask – Hide Face” for less than $20 USD.

HANSA

The youngest of our top three markets surveyed, Hansa, also known as the market with the little red pirate ship, is currently trending to be more reliable than AlphaBay, at an uptime statistic of 99.03% as reported by dnsstats.net. Not affiliated with the Hansa marketplace that was hacked, Hansa is built upon, as they call it, a trustless system: they rely heavily on the multisig transaction system to prevent vendors as well as the site staff from accessing the deposited virtual currency until the buyer finalizes the transaction. They also refuse to offer any “Finalize Early” option, regardless of vendor reputation and buyer-vendor relationship.

Hansa differs from other markets in that they are not exclusively known for being a drug market. In fact, less than half of their listings are drug related. Instead, they have the highest offering of any market of guides and tutorials and feature an extensive selection of digital goods including database leaks, numerous listings for purchasing access to adult websites and content, and even the more bizarre listings such as an offer for over 300 secret recipes from top American food chains or the “FBI’s software investigation tool.”

THE DREAM MARKET

The Dream Market has the longest history on the darknet, trading since 2013, but despite their longevity and simplified user interface, the site does not look or feel as well thought out as AlphaBay, despite leading Hansa in the total number of listings. Market reviews on DeepDotWeb are extreme, with many stating they had been scammed or treated rudely by the market admins, but those could easily have been entered by competitors of the market.

The Dream Market has a pretty steady uptime of 96.42% and supports not only multisig transactions, but also Finalize Early and two-factor authentication (2FA). Unlike AlphaBay, Dream Market only supports bitcoin transactions. It has simplified its listings into 5 principal categories, dominated in total listings by digital goods and drugs. However, the total listings per category do not match the totals given in the sub-categories, suggesting that the total number of listings we analyzed may have an error of somewhere between 4 and 15%. Dream Market relies solely on the escrow system for purchases, and also offers a vendor rating scheme that includes vendor scoring from other markets like Agora and AlphaBay.

Unlike most markets, Dream Market does not offer any rating system for buyers, which would help reduce the likelihood of a federal or local law enforcement agency trying to infiltrate and lure a vendor.

There are nearly 7,000 additional listings dedicated to Guides, including the “How to Get a Girlfriend” guide for those socially awkward teenage hackers perusing the Darknet.

The Dream Market does however, offer the highest percentage of offerings dedicated to digital goods, with over 2,000 listings for e-books alone covering everything from digital privacy to trigonometry.

THE TOP GOODS

This week, DarkOwl Cybersecurity analysts took a snapshot of the market categories and total number of listings across the top three markets and found that drugs and digital goods comprise over 70% of the listings of each marketplace. After analyzing over 450,000 listings across the top three darknet markets, we tallied these statistics to draw some initial conclusions.

While AlphaBay dominates the Darknet in drug-related listings, they trail behind Dream Market in digital good offerings; however, Dream Market’s oversimplification of categories, and possible mis-categorization of listings, made it difficult to decipher the listings into their respective sub-categories.

In addition to drugs and digital goods, a significant portion of the listings across these three markets include: fraud items (e.g. personally identifiable information, database dumps and account logins); guides and tutorials; adult content; counterfeit related items such as passports, clothes, currency; and services, including social engineering and carding support.

Other categories worth mentioning comprise less than 10% of the total marketplace offerings, including weapons (primarily offered on only AlphaBay), jewelry (consisting of mainly Rolex watches), electronics, and security and hosting related items, which have seen an uptick in listings with recent concerns over the true anonymity of darknet activity.

We also observed that many darknet vendors trade across all three markets, so the total number of listings does not necessarily represent unique individual offerings. We intentionally chose not to discuss the aliases most active on these markets, but will explore the dark world of darknet marketing/advertising and customer service for these adventurous entrepreneurs in a later post.